Logo Background

Tracking Origin Of Server Attack

  • By on August 23, 2008 | No Comments

    Looking through your IDS logs, you’ve seen some strange traffic coming from another network across the Internet. When you look up the IP address in DNS, it resolves as something like dhcp-103.badguydomain.com. Whom do you contact to help track down the person who sent this traffic?

    You’re probably already aware that you can use the whois command to find out contact information for owners of Internet domain names. If you haven’t used whois, it’s as simple as typing, well, “whois”:

    UNIX> whois badguydomain.com

    Registrant:
    Steven Crisack

    Registered through: GoDaddy.com
    Domain Name: BADGUYDOMAIN.COM

    Domain servers in listed order:
    PARK13.SECURESERVER.NET
    PARK14.SECURESERVER.NET

    Unfortunately, this whois enTRy isn’t as helpful as it might be. Normally, administrative and technical contacts are listed, complete with a phone number and email and snail mail addresses. Evidently, godaddy.com has a policy of releasing this information only through its web interface, apparently to cut down on spam harvesters. But if the registrant’s name is listed as “Steven Crisack” how accurate do you think the rest of this domain record is likely to be? Although domain registrants are “required” to give legitimate information when setting up domains, I can tell you from experience that using whois in this way is actually only a great way to track down honest people.

    Since this approach doesn’t get you anywhere, what other options do you have? Well, you can use the whois command again, this time using it to query the number registry for the IP address block containing the offending address.

    UNIX> whois -h whois.arin.net 208.201.239.103
    [Querying whois.arin.net]
    [whois.arin.net]
    Final results obtained from whois.arin.net.
    Results:
    UUNET Technologies, Inc. UUNET1996B (NET-208-192-0-0-1)
    208.192.0.0 – 208.255.255.255
    SONIC.NET, INC. UU-208-201-224 (NET-208-201-224-0-1)
    208.201.224.0 – 208.201.255.255

    # ARIN WHOIS database, last updated 2004-01-18 19:15
    # Enter ? for additional hints on searching ARIN’s WHOIS database.

    Our query returned multiple results, which will happen sometimes when an owner of a larger IP block has delegated a sub-block to another party. In this case, UUNET has delegated a sub-block to Sonic.net.

    UNIX> whois -h whois.arin.net NET-208-201-224-0-1
    Checking server [whois.arin.net]
    Results:

    OrgName:    SONIC.NET, INC.
    OrgID:      SNIC
    Address:    2260 Apollo Way
    City:       Santa Rosa
    StateProv:  CA
    PostalCode: 95407
    Country:    US

    ReferralServer: rwhois://whois.sonic.net:43

    NetRange:   208.201.224.0 – 208.201.255.255
    CIDR:       208.201.224.0/19
    NetName:    UU-208-201-224
    NetHandle:  NET-208-201-224-0-1
    Parent:     NET-208-192-0-0-1
    NetType:    Reallocated
    Comment:
    RegDate:    1996-09-12
    Updated:    2002-08-23

    OrgTechHandle: NETWO144-ARIN
    OrgTechName:   Network Operations
    OrgTechPhone:  +1-707-522-1000
    OrgTechEmail:  noc@sonic.net

    # ARIN WHOIS database, last updated 2004-01-18 19:15
    # Enter ? for additional hints on searching ARIN’s WHOIS database.

    From the output, you can see that we have a contact listed with a phone number and email address. This information is most likely for the ISP that serves the miscreant who is causing the trouble. Now, you have a solid contact who should know exactly who is behind badguydomain.com. You can let them know about the suspicious traffic you’re seeing and get the situation resolved.

    Previous
    Next
    » Web Server Recon Using netcat
Leave a Comment